I want to take this opportunity to show you two new plugins for my oledump tool. Let's first look at this first sample. This is a malicious sample with macros, but this time we are not going to focus on the macros. We are going to focus on streams 15 and 16. Inside the Macros storage, let's call it a folder, there is another folder, LINN, and inside that there is a stream F and a stream O. When you encounter this inside an OLE document, an MS Office document, you know that this is actually a form, a user form with field names and field values.

So let's take a look at streams 15 and 16. Here you see the word mesomorph. This is the name of a value, a text box for example, that is stored inside the user form. And if we look at 16, you can actually see a URL here.

Now let's look for this name, mesomorph, inside the VBA code: with oledump, we select all VBA code and do a grep for mesomorph. We see that the user form LINN is indeed accessed, and that its property mesomorph is assigned to the variable pandemic. So let's search for pandemic, and here you can again see the assignment, and here a call. There's an object on which the method Open is called with three parameters: the second parameter is pandemic and the third parameter is False. So this is very likely the Open method of an XMLHTTP object, used to download a payload via a URL, and the first parameter should be a GET or POST statement. So let's do a search, and you can see a StrReverse of "TEG", so this is GET.

This shows you that you can have data, like a URL, that is not stored inside the VBA code in the macros, but inside other properties, like those of a user form. I have two plugins. The first plugin is plugin_hifo. Let's run it on this sample, and you can see that this plugin detects the URL and shows it to you. So this plugin will look for forms that end with /o and then search for strings that start with HTTP.
This actually forms the name of the plugin: HIFO is an abbreviation. So that's the first plugin.

Let's take a look at another sample. This one here, and you can see it has several user forms. Let's take a look at this user form here, so we select A13, and here in the strings you can see text box 1, text box 2 and text box 3. So this is a sample with a user form that has several properties, several text boxes. If we look at the values in stream A14, we can see here Scripting.FileSystemObject, then Tahoma1, which is the name of the font for that text box, then temp, again Tahoma1, and then here are the F and so on dot VBA, also with the Tahoma1 font.

I have a plugin to parse this information, because it is actually structured, and the plugin is called plugin_stream_o. We can run it, and then you can see that for every user form with the /o, it finds all the data, so the properties, inside the stream. So here I have the Scripting.FileSystemObject, the temp and the backslash VBE dot VBE. And here I have other values.

This plugin also takes an option. You can pass options to plugins with the --pluginoptions option, and the option it takes is -d, debug. Then you will have more information here, with the type, the length and the type of value that was found. And if it is this type of value, this is a text box, then I also print out the text of that text box. This one here, 35, is for a font.
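
The triage idea described for the first plugin (only look at streams whose path ends in /o, then pull out strings that start with http) can be sketched as follows. This is an added example, not oledump's or the plugin's own code; the stream bytes and the URL are constructed placeholders, and the stream contents are assumed to have already been extracted by an OLE parser into a path-to-bytes mapping.

```python
import re

# Constructed stand-in for what an OLE parser would return: stream path -> bytes.
# The URLs are placeholders; the byte layout around them is illustrative only.
SAMPLE_STREAMS = {
    "Macros/LINN/f": b"\x00\x04\x20\x00mesomorph\x00\x00",
    "Macros/LINN/o": (b"\x00\x02\x18\x00\x1b\x00\x00\x80"
                      b"http://example.invalid/payload\x00\x00"
                      b"\x00\x02\x18\x00Tahoma\x00"),
    # A URL in VBA source is out of scope here: this check targets form values only.
    "Macros/VBA/ThisDocument": b'x = StrReverse("TEG") \' http://example.invalid/doc\r\n',
}

# A URL is taken as http:// or https:// followed by printable, non-space ASCII.
# Printable bytes that directly follow the value in the stream would be glued on.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


def is_form_value_stream(path):
    """True for streams named 'o' inside a storage (the form's value stream)."""
    return path.lower().endswith("/o")


def urls_in_form_streams(streams):
    """Return (stream path, URL) pairs found in user-form value streams."""
    hits = []
    for path in sorted(streams):
        if not is_form_value_stream(path):
            continue
        for match in URL_RE.finditer(streams[path]):
            hits.append((path, match.group().decode("ascii")))
    return hits


if __name__ == "__main__":
    for path, url in urls_in_form_streams(SAMPLE_STREAMS):
        print(f"{path}: {url}")
```

A hit from this check is a lead for the analyst: the next step is the one shown in the video, grepping the VBA code for the form and field name to see how the value is used.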